Analysis Date: 2015-02-25 12:04:52
MD5: 9cdc2db89dbf02863dcddd94609a09b2
SHA1: f36a04bfa690aeba84cde5f479f19efb57bad14b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 09d373d6924d4ba7df258d369c8b7f67 sha1: d586d6b2fe608d01f9cff5e49331a2417cab8540 size: 274944
Section .rdata md5: 5048ac01e37cd5e19dd34b16f07d8718 sha1: 6ef3795a1f7c68feac0c43b0130c1f71a298a58b size: 512
Section .data  md5: 19ab241be241f1edec634cc8763e3086 sha1: 6cf3942838c5305f09828b87e8c6ac01fbb40957 size: 105472
Section .rsrc  md5: 731c06088f699c1058a102845c5dbe6b sha1: 826baa4e17a1155303ce8e6919a5e2390e1eb4af size: 6656
Timestamp (PE header compile time): 1970-01-02 05:45:25
PEhash: 2f2e5f1cf0eddd1f45a1cff03487754cecb0defb
IMPhash: 50eeeeddde300914f2e7fa95b9bc05a2
AV360 Safeno_virus
AVAd-AwareGen:Heur.Cridex.2
AVAlwil (avast)MalOb-EY [Cryp]
AVArcabit (arcavir)Gen:Heur.Cridex.2
AVAuthentiumW32/FakeAlert.JW.gen!Eldorado
AVAvira (antivir)TR/Kazy.8090.A
AVBullGuardGen:Heur.Cridex.2
AVCA (E-Trust Ino)Win32/FakeSpypro.B!generic
AVCAT (quickheal)FraudTool.Security
AVClamAVTrojan.Fakesec-309
AVDr. WebTrojan.Fakealert.19937
AVEmsisoftGen:Heur.Cridex.2
AVEset (nod32)Win32/Kryptik.JXW
AVFortinetW32/FakeAV.PACK!tr
AVFrisk (f-prot)W32/FakeAlert.JW.gen!Eldorado
AVF-SecureRogue:W32/VirusDoctor.J
AVGrisoft (avg)FakeAlert.XN
AVIkarusTrojan.Win32.FakeAV
AVK7Trojan ( 001e60c61 )
AVKasperskyTrojan.Win32.FakeAV.aepj
AVMalwareBytesTrojan.FakeAlert
AVMcafeeGeneric FakeAlert.amb
AVMicrosoft Security EssentialsRogue:Win32/Winwebsec
AVMicroWorld (escan)Gen:Heur.Cridex.2
AVRisingno_virus
AVSophosMal/FakeAV-CZ
AVSymantecVirusDoctor!gen1
AVTrend MicroTROJ_FAKEAV.SMID
AVVirusBlokAda (vba32)Trojan.FakeAV.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aA5A1.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\gClMiHc04300\gClMiHc04300.exe
Creates File: C:\f36a04bfa690aeba84cde5f479f19efb57bad14b
Deletes File: C:\f36a04bfa690aeba84cde5f479f19efb57bad14b
Creates Process: "C:\Documents and Settings\All Users\Application Data\gClMiHc04300\gClMiHc04300.exe" "C:\malware.exe"
Creates Mutex: DBWinMutex

Process
↳ "C:\Documents and Settings\All Users\Application Data\gClMiHc04300\gClMiHc04300.exe" "C:\malware.exe"

Network Details:

HTTP GET: http://91.193.194.40/lurl.php?affid=04300
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 91.193.194.40:80
Flows TCP: 192.168.1.1:1031 ➝ 91.193.194.40:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30343330 30204854 54502f31   fid=04300 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 39312e31 39332e31 39342e34   p://91.193.194.4
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2f2a0d   0..Accept: *//*.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452037 2e303b20   ible; MSIE 7.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   47544230 2e303b20 2e4e4554 20434c52   GTB0.0; .NET CLR
0x000000a0 (00160)   20312e31 2e343332 32290d0a 486f7374    1.1.4322)..Host
0x000000b0 (00176)   3a203931 2e313933 2e313934 2e34300d   : 91.193.194.40.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a                              ....


Strings
:$
|
..
Q..V
..
B`
h
I
Ez.
k...
...
.
F
.
..
m.
.
.D.

@'AGa
BAdG
DEa"
d`GB
`ED@
e#Fd
Ge@'
\*(?;%
02HILPTZ
=^02s(
]04]}}
0o+H	b
0R&<}^-
0rjkOW
	0V?_tl
-	>_0z
/-1<+*
12r>_(
1+5vuN
][\1_g
1IHl`Nk@~
.1{\$l
^1P!6F
;1)Slw
:1UU8D
1Vz\Zm@
1zI;SjYc
2=cW`M?
2*dI\s
_2K(Bx^
2mX)M~
2'%{wy
34+D1(.
3DGjz`
3PM&Fk
3Q,/`0
(3._[,s
)..3x<_
4hLoad.
4hmage.
4hryTo.
4hyEnt.
4.|jGj
^4K8]B
4#+N+j0s
4O7	$$
4TDXe"
56kHc\\
5g+dSti
5NPS6~
5tdEaGk
<\5[tm
5.Txtc
>/^5Vm
67NnT|[
>69")!
6B4^}x
6F0h|F4\dF
6h2(gg
6;I9hm
6k~&K_
6n:wI*
\}7~  
7:2Qk,^
7]93KP
7:<9^R
7aGj("
`7VyU!
*7W#J3
8;H}!B
8*/K\?
8l4yy;
8?Po7;
`9@5Q9'
9:74Y.
>?9&eB
9l}q(f
9pm]  
#a~4Mi
|A63agd
ADVAPI32.dll
_&}aGj
aGjP`AR
aGj@&W
aGkH3o
`aGkPV
$Ah$eG
:ajGjv
+$:`AP`
AQDsaiM
</assembly>
  <assemblyIdentity
      <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AZG*ZVB
bA0X	`#
bHbG0\
B$Hg7`
"bjr`g
bO4P8DGj
Br`yT-c
C|#{7L
cBD1_o
c DhWJ
?c|,h&
Ci~knkM\
&	cW`M?1*	
cW`M?321
cW`M?A`_Y
_C,XQu
@.data
DdeDisconnect
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
d!Hg\@
DisconnectNamedPipe
>,'!DJ|
dJ$b7C.
d`k$Hv3
EAb7(P
\EEUUe
e[T;qRd
eu![wI
?EV\"D
F_aG.2
FFzABGy
~Fk`n]
)F	mTK\/{
F*n,B	[
Fq^{`Gk
f>r/0G
FreeConsole
F~XaGk
>?#FXbGk
G2^jFh
G)45Yau0
`G5*70-
gcGA	r
g(Cl8hn
gDTc|3
GetNativeSystemInfo
>GetP.
G>`~F<bBF
`GG[2k
G*#`Gj
`GjbhR/$
`GjH<7j
`GjRG11
`Gj|XU	.
`G~"k|
`Gk&>#
\<*`Gk
`G}K{>\$_
`Gk2}2
`G$k4e-h
`G+Kj-
`GkLLy
"@^Gk^O>
`Gkp,_
`Gk(xL,
Gk@Zms`
:Gkzy<
`Gm,)=>
`G"|mO+
g/	_oR
`Gq:.m
`GzB0on
gz<:Y~5;E=S
,()++$H
H2qk|(
h5qzh'
H&.aGK
Hd6^Gs
hData.
HI1xwn5#
/Hi)f6J
\hJ`Gk
hlAll.
hLibr.
hntdl.
hO-f[h
hOhVlz
`}h&{r
HV*b7`
'I#-2|!p
=i3y_)
-:i]8@
iaGjQ7\
i`cjD0
/I|II{]x5
I.I"z5
IJLrvQn
IkK)A7d70c
It{zm<(
I;ulw;
j6v;j:r5k
j(cGZ'E
`j:`G9
j*`G	},h
j@\GwJ
j@JGF+6
j`jGT)$
jlF`Gj
j`nGSz	
jujluKmC
j^Vs%o
jx$cx!
jz`GN6
KE9OG?
KERNEL32.dll
]K i}n
kJ:qe>N
k+q1?v!B
*K^Qf@
(k.q;Y
K)sxZ,c
L*3x.b
        language="*"
#lay7.
l[C2A	;
LD%aGj
          level="asInvoker"
#}LhLS$oA
"lj<yd/H
LQ@9hi
]L@Q=e
lQ K1O"
lUX;	{
	mhn]N
Mq];mP
Mr{O1"
("M?V(4
m^\x_!!
$NaJ5aG
    name="DelphiApplication"
        name="Microsoft.Windows.Common-Controls"
n!^G.@j
*nHN~G
ni\jFk
}NIrtQ
(Nk"&+
N`laGj
NlTr+5[h-{6
	N_Nkj
?N}p^9
-npd K8
NT.i[}
nXhosN
])[nZ|[
nzP/$trF?W|
o^6<7G
oA jXb
ODBC32.dll
!oepjU
O@gyOW
ojt)mL
On5mK:w
O s%z!
OutputDebugStringW
;oWO<_
:p	hG/r}W\
p.k5fL
=>PltR
}po7:G
        processorArchitecture="*"/>
    processorArchitecture="*"/>
        publicKeyToken="6595b64144ccf1df"
`}p<Ui;&
P`W]y`
qdbsFj
QP=2w4C
qpM6	%
)[qq	ZOQ
QsG*?`1oV
QueryPerformanceFrequency
_)qWq&
`QX~e8vho
qX}W `
Qzi<V4
`.rdata
RegCloseKey
RegCreateKeyExW
RegOpenKeyExA
RegQueryValueExA
RegSetValueExW
        <requestedExecutionLevel
      </requestedPrivileges>
      <requestedPrivileges>
rGEe|s
rGk05Q
!R\IG/2
)RnH52o
>rocA.
/]rRT.HE
S1_>CaGj
SB&5Nmt
    </security>
    <security>
Sf-#[k
sMW]4?
sM)Z<O
SPo,2C
SQLBulkOperations
%SSY#l<'
s:~z*k
	&t?*{
t9&nj<%
t,~ aGk
!This program cannot be run in DOS mode.
tJ)ujh/q
tNF0nPF2d@F
|tNNXP&
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TtY_nJ
tVkZ;Kz
Tx8v%o
T*XL%J
        type="win32"
    type="win32"
u0]4`.
u(~-fH
UHt]I.K
          uiAccess="false"/>
U>j%Gj
u>loFk
=UNMq>
uP4w~j
U|qq="
U;s6KW
USER32.dll
U~z8(%
V3z./X:
:v5LI6e
V76J5M
    version="1.0.0.0"
        version="6.0.0.0"
vFF0^bF0^dF
vGjdI$A"9
}vHNO6G
vj`kG4{
V*^S?Z
VUKV*hQD
VWL)uv
vX8-.'
W}$]0T
\W24-Thp
waWo(.
	Wf`Gc*
W~GjTH
]wH(5S
`Wi@7t=qz.4
Wkz,!!
w`n.+	(&*/dK
WP;/MP0
w{q!_p
+W:TW2"
wxj@^'
X0K)0t
X3%TxW
xdTA7Qk@Zu
XfWaGk
X?`Gj@
xIcGk&#Nb
-x.I-L
xl	HO 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
x.N/+W
_XQixG)
X|>y!!
<<\;Y{
y.0h[~
Y(2n`Gk
}y3tJL
Y56?Q#
y.9ljCs
:^,y}A
<[yH\)
yhHI/$
yi-R=T
]y.mMf
YOYF@j
YQ_f}@@^Gj
Yr8o9*;J3M
@YSG8#'Gk
y({T`C
Y%UwdY\6nD%
yy;B<E
z1g%+C
$<z2MC
$(@ZGk
Zk*`S?
zOH27UW
;.Zu)6
zv;QTm